The majority of online banking customers reuse their online-banking login credentials on other websites, according to a new survey on password insecurity. Online security firm Trusteer reports that 73 per cent of bank customers use their online account password to access at least one other, less sensitive website. Even worse, …
News flash - sky is blue!!! Surely everyone already knew this. It's bad but it's not news.
To make matters worse people also write all of their log in details down and leave them helpfully by their computer (at work and at home). I'm willing to bet a fair number have their bank PIN written on a scrap of paper with their card too.
I have all my log-in details written down. PIN codes, the lot. All in one file. Well, a few text files.
I'll send you a copy if you like.
You got very, very little chance of reading them as they are held in an encrypted container.
And I ain't telling you what type of container, just to make things interesting.
Good encryption is such a piece of piss that it is now easy to manage the plethora of credentials that modern life demands you have.
Although re-using the same (or closely related) password for a sensitive site is just dumb, dumb, dumb. I do reuse a couple of passwords, but they are just for inane things that have no real purpose (to point of not really needing a password anyway).
Is it decrypted with a single password? Seems like all eggs/one basket scenario?
It's funny that the Microsoft tips linked from the article recommend not storing passwords "on a file in your computer, because criminals will look there first". Trust MS to get this so mind-bogglingly wrong.
These days, we have to create logins for so many different sites, and it would be foolhardy to share passwords between them. With truly secure passwords, it's hard enough to memorise one of them, let alone one for every site.
A single encrypted file seems to me to be the only sensible way to go.
It's better than...
...trying to remember hundreds (literally) of passwords or re-use password across multiple sites.
I could, I guess, split the files out (and I might).
But even if you get into the file, how can you be sure you've got in? Ever heard of "plausible deniability"? Unless I tell you which encrypted file holds my details, how will you know? I could easily store them in a hidden portion of a crypto-file that stores personal, but benign, stuff (images etc).
Terms and conditions don't help
Some of the banks themselves really don't help when it comes to choosing secure passwords: their terms and conditions often prohibit the recording of passwords in any medium, hardcopy or electronic, which is a bit of a bummer as nobody can realistically be expected to remember a different brute-force-resistant password for every site they access. The options are either ignoring the terms and conditions and hope they don't find out, or re-using likely weaker passwords. Not really a good choice when it comes to security.
The alternative of using an encrypted key safe may indeed provide a single point of failure, but it's probably the least worst solution of the lot since remembering just the one password gives more scope for it being hard to crack. Except that it's against the rules.
Still, that's no excuse for people who use passwords like "password" or their kid's name.
...except actually it isn't, since nobody pays any attention to those rules.
Surprise? It's impossible NOT to resue them
Why on earth are they surprised? I'd love to talk to these people--.
This is a generic, unanswered problem for online security. I now have over 100 sites that require user IDs and passwords, and I don't imagine I'm alone - I delibarately avoid adding more unless essential, but it often IS essential.
So, how do I manage these?
1: Different ID/PWD for each. I can't remember them all, so do I write them down? In some form of private code? With a common decryption key?
2: Use the same password everywhere?
3: Use a secure password management "device" - essentially a technical version of 1?
- actually, I have to use a mixture of 1 and 2, as some sites insist on their own UID choice (Inland Revenue/Government Gateway, Lloyds TSB - good on you, but--), and some allow a free choice.
- these are all equally insecure as far as I can see. What I can't see is a solution, unless all sites agree on, for instance, a common RSA fob for me. Pigs will fly--.
These days, there are simply too many things to remember - account numbers, passwords, pin numbers etc etc...
It's impossible to remember them all unless you write them down, use the same password again, or (as I often do) give up on trying to remember some of them and when I need to access some web site again, get the site to email me my password again
I'm not sure there is any real solution to this.
More sites require you to sign up, so they can harvest details, they also always demand a valid email address! I have 9 email addresses already at home for various purposes.
Some sort of central ID thingy is in order, I dunno an "ID database" if you will! Perhaps the government of Microsoft could be trusted to put up some sort of thing?
"What I can't see is a solution, unless all sites agree on, for instance, a common RSA fob for me."
Would that help? A fob is "something you have" and consequently about as secure as a piece of paper with (strong) passwords written on it.
And "common" anything would probably scare the banks into adding a T&C clause saying you couldn't use it. No, dear child, you MUST choose unique MI5-strength passwords and MEMORISE them, for EVERY site that you ever use to buy something. The system has to make it your fault for any breach, because the banks never take risks, do they?
The interesting legal question is "At what point do the banks T&Cs become so unreasonable that they can't be allowed to stand in court?". Sadly, the answer is "As soon as judges get a clue about computer security." which is probably several decades away.
Easy ways to choose strong passwords
I agree that there are too many things to remember these days. However, there are many different ways to choose strong passwords that are easier to remember. My colleague Graham Cluley has provided some tips on how to generate one.
For me, what I do is to create a fusion of a single password and a unique one.
I first create a "single master password" that I change periodically.
Then, for each site, I either append or pre-pend some identifying name/phrase from the site, along with a chosen character/symbol inserted in the site-unique phrase at a particular position in the phrase.
This way, I only have to remember the single master password, the unique character symbol, and where I place the symbol. The site-specific phrase don't have to be remembered. It's a lot easier to remember 3 things than to remember 20+ unique passwords.
Even if one of my accounts is compromised, the other passwords cannot be automatically guessed. It would also be very difficult to guess my password for other accounts unless the phishers know "my system" of generating them.
Hope this helps.
Savio Lau, SophosLabs Canada
I like to think I use strong passwords but when my bank alone requires 4 passwords it's hard to start remembering even more passwords for various other sites...
Unless of course you get into the much safer practise of writing your passwords down ;-)
Abcd1234 never fails me.
Doubt Paris could remember them either.
This is not surprising at all. Most people won't be able to remember (a large number of) distinct usernames and passwords, and certainly not what account and password combination belong to a specific site.
I myself, fully aware of the consequences, use loginnames and passwords (or combinations) for various sites as it is simply to hard to keep track of, even when using excellent tools like KeePasswordSafe.
For banking I use a slightly more complex password (but still based on a combination of other passwords), and I am very happy that my bank uses SMS-authentication for transactions as that is a much simpler additional protection. In my opinion, for most sites it is either not worth the effort to create and remember other passwords.
One password to rule them all, One password to find them, One password to bring them all and in the darkness bind them
one two three four five?
That's the code an idiot has on his luggage!
comb the deserts!
she's turned into .... MEGA-MAID!
Back in the days when they implemented PINs for cash cards, I believe they spent quite some time analysing how the hell to make it secure ish. They ended up punting for a self identifying card, and a 4 digit code - presumably they reckoned most people were too dizzy to remember anything more complex.
Then along comes a bunch of programmer geeks and everything gets over complicated, then same start complaining that noone can keep up.
Unless they come up with something more usable the internet will be dead for commerce within a few years.
"Unless they come up with something more usable...
...the internet will be dead for commerce within a few years."
What a load of poppycock.
ecommerce is here to stay
It's all fine and well for security companies to tell everyone that what they are doing is insecure, but they don't offer any viable solution.
I dread to think the number of different web-sites/forums etc I have accounts with, the reality is that password(s) are reused across any number of them, including my bank site*, but by and large i'm not overly encumbered by a fear that i'm about to lose everything to identity theft or other.
Why ? Because I don't use any public PC's and I never follow a link on an e-mail that I didn't expect (like, for example, click this link to authenticate your account). The problem isn't reusing a password, the problem is people being stupid in the first place.
* My bank use a UID that they gave me and a password and PIN number that I gave them. Further, if someone did get into my account, unless they also stole my bank card and the card reader, all they can do is transfer money to people i've already paid (friends and family) or pay some of my bills for me, from my own account. Damn.
For really important passwords
Write down passphrases e.g. "MyBanksPassword"
Use a little c program to scramble all the letters around, shift some, convert some to numbers and/or fixed chars & pad to say 20 chars.
Root protect the program, change order of swaps occasionally. Don't use Windows for banking ( or at all really)
Care to guess the passphrase for sGsE165Bcb43zfGb3o2z
Thanks Keith, that's brilliant advice.
My 76 year old Dad will be ALL OVER that.
I'll just nip off home and explain C to him, then explain 'root protection', and finally advise him to install ubuntu for when he's banking.
Then maybe we can spend a fun family evening trying to crack your clever code, (he loves Sudoku).
I'll let you know if we get it!
I did randomize...
... for a while... then simply got tired of it. Oww the important passwords tend to be 30+ chars long and also stored in an encrypted container. But for most sites my default username/password usually go. Though if a site uses email I tend to add a suffix to my mail addy(when the site isn't completly stupid and keeps claiming + isn't valid for an email).
Banking IT Fail - Not consumer
Lets be honest - this is human nature and the banks have completely failed to take account of it.
The simple factor is that if they used a decent 2 factor authentication system like a RSA token this would not be so much of an issue.
Most of us have those stupid card/pin readers now - how difficult would it have been to incorporate a RSA token as part of them
There is only one place to lie the blame - at the banks for failing to spend the money on systems that are secure enough regardless of human nature.
if only David Lightman had known...
Greetings Professor Falken.
Would you like to transfer some money?
Then give us better systems...
Insecure banking has got far more to do with technically-dyslexic banks than user passwords. When a bank employee tells me "Security is an ongoing task, and we do our very best to keep ahead" I'm genuinely encouraged. But when some pubescent clerk tells me "Our systems are 100% secure - guaranteed!" you can forgive me for assuming they're clueless. What they mean in fact is that when anything goes wrong, they'll blame the customer.
Banking online and via card machines is inherently insecure, as is almost anything online involving money, but the banks make far too much profit to do anything more than accept (and deny) the losses and pass them on. It isn't the customers who need to pull their socks up security-wise - it's our banks, shops and financial institutions.
They're PAID to do better - the customer isn't.
Incidentally, I've just done a straw poll of friends - hardly statistically accurate I know (but probably no less than Trusteer's effort). The result is that none of us use passwords twice. None of us know anyone who does so. So perhaps this is all less about password security than it is about Darwinism in action...
Do you trust Trusteer?
Be interesting to know whether the customers that participated in this survey knew they were participating...
I've seen some debate on the internet in various places regarding the claims that Rapport makes, and I'm no security expert but some of it does seem questionable. Apparently Rapport 'learns' passwords and sometimes usernames as well. This seems like it's putting all your eggs in it's one basket (http://consumers.trusteer.com/how-exactly-does-rapport-protect-me) Also, where does it store the passwords?
And maybe I'm being paranoid, I resisted installing rapport for a while, then finally did. Now I'm wondering how long before someone cracks it. Be interesting to see a Security Pro's view on Rapport...
Wait a minute! What social networking site
allows you to use a password as weak as the ones the banks require?
So let me get this right, a "trusted" 3rd party company, meant to be about security for online banking harvested data from users, without their consent and analysed not only on-site bank passwords (as might be agreed to by users installing the software) - but off-site passwords from other sites, without the user's implicit consent?
Shades of Phorm here. And a great precedent to tell your bank to take a hike if they ever start to insist on people installing software like this.
I'm a Brit living in Switzerland and my bank has a pretty good system. I have a standard password which I must use in combination with my account number. Then I have a one time password each time i log in based on a set of passwords the bank send me. This list is kept very secure. Without this list no one is getting into my account. Simple but very effective.
"The majority" says it all.
If " the majority" have shown that password based security in a non-runner, then it is a non-runner.
I use two different online banking systems - both have a usernumber + PIN + password system - both use random digits from the PIN and one asks for random characters from the password. To me that seems pretty decent. This will allow you list transactions and make existing bill payments/transfers.
(Aside - always wondered why they don't use a random digit from the PIN number idea at ATMs/chip and pin terminals - then even if someone got you entering the PIN it'd be unlikely to be the same random sequence. And yes, for oldies who can only remember the 4 digits you could offer the choice)
If you want to add new accounts/bills to pay money to one requires you to ring a call centre, answer security questions, then take a call back on the number you gave to them at account opening. The other uses a unique chipped card and fob combination.
So the systems as a while seem quite good.
In terms of passwords I think I'm like a few others here - same general password, but variations thereof. Also an easy way to create pretty good passwords, but remember them - take an album say, then the song titles - then mix up vowels and number like letters. Easy enough to remember (song title) and then if you're made change password X days later pick another song title. e.g.
We have the same system in Finland. It is hard to break. Still some people are happily revealing their list of codes for phishing. Very astonishing, but true.
Still a single password for a bank is absolutely stupid and one wonders how a bank can be so damned stupid (to repeat the stupid again). I think the EU should do something about it and simply forbid it.
For some banks at least, they issue a list of onetime passwords, plus you have your personal password and a PIN. They also print my photo and signature on my bank card, which can only be collected from a branch. But then, unlike UK banks they seem to view their customers as something other than an irritation.
There are no standard systems
Why do some sites limit the length of fields or what characters can be in them? We're told to use special characters but many sites won't let you.
" even if they visit and attempt to enter data into a known phishing site."
all well and good, but what about unknown phishing sites ?
Has anyone told the banks
about Public Key Cryptography and PKI?
The learning curve is a bit steep, but it really addresses the password overload problem.
Of course, the next problem is securing the user's machine, otherwise a friendly trojan steals your cert and passphrase.
Don't use online banking myself:
Usual reason for visiting bank: Withdrawing cash.
Anyone know an online bank that lets me print out banknotes?
Surely banks aren't interested in security?
I get phoned at irregular intervals by both the Bank of Scotland and Egg, demanding from me security information. Incredibly, the calls are actually genuine but the callers always seem put-out when I refuse to divulge information on the ground that they may be phishing.
My usernames and passwords for sundry assorted purposes must run into several thousand. There is no way on earth I could remember that number. Recycling and/or writing them down is a necessity.
In any case, having the correct username and password for a business banking account did me no good the other night -- having left myself with only cryptic clues as to the said username and current password I could not get into the system and assumed that my clues were inadequate to prompt me appropriately. To cut a long story short, the "problem" was that because I hadn't used it for a few weeks the bank had disabled my "security token" digital code generator. The problem was with them, not with me. Now, exactly what nefarious actions I could have got up to with those particular accounts is an interesting question as they were all "View Only."
It's time banks and others got in touch with the real world. In the past ten years I've been defrauded on a credit card transaction once (Supplier had supplied goods to an address other than that of the cardholder, Citibank denied liability, but Financial Ombudsman ruled against Citibank who then paid up), but have to deal with four different instances of banks and other financial institutions paying the entire contents of accounts to persons other than the legitimate depositor or their authorised representative. In two of those instances the banks refused even to reveal to whom the money was paid.
Security should start at home. Clearly banks and other financial institutions have yet to learn that first lesson.
Security must be workable for the end user. It seems that they haven't learned that lesson either.
With so many things around now that need passwords, its hardly surprising. I have ... let me count on my fingers a moment... maybe seven different "base" passwords I use, with a variety of variations on top - swapping letters for numbers, capitalisation and all that. All the same, there are many places I re-use the exact same one simply because there are so many services that require them. A multitude of shopping sites, webmail, messengers, messageboards (including this one), banking, online phone bills, computer logins... oh look at that, even just counting the CATEGORIES we're one-for-one. There's only so many you can remember. I have a feeling that at one point I had an eighth or even an ninth.... and i've since forgotten it and whatever account that was i've had to request a password reset and fallen back to one of the mainstays.
None of them, incidentally, are written down. If I sort out the mess of my life they may go in a sealed envelope in my will. Otherwise they die with me. And pretty much all of them, except one on a very, VERY old webmail account (we're talking mid 90s here) are "strong" - and the weak one is decidedly non-dictionary anyway.
So if someone was to sniff one of my passwords, AND knew much about my other online habits, AND got the usernames I have for them (again, a small selection, used randomly, and not matching up with passwords), they could get access to other parts of my life too. But then you could say similar for house or car keys... but if they can do that, what's to stop them sniffing the sensitive ones directly?
I'm not bothered however. My bank has other security measures on top, including a secret codeword that it asks for a specific letter out of, and use of an online account number that's not related to my actual current or creditcard accounts.
So if a criminal got the relevant password from elsewhere (1 in 7 chance) AND the right variation (about 1 in 18 or so overall), and knew my bank (a further 1 in 20 or more on top), and some of my typical usernames (call it 1 in 5 multiplication - we're up to about 1800:1 now?)... they've still got to discover the online account number (direct observation - in which case they can also get the password and at least one letter of the secret word - or about a 1:10,000,000 chance) and take a stab at what the codeword was (1 in 36 extra).
They could put the work in to try and discover all that, or maybe just pony up a quid for a lottery ticket. The chance of winning the sub-5-grand figure I can take out without having to call up to authorise a loan or extended overdraft/credit limit (phonebanking itself requiring a further password AND six-digit secret code) is SO much better than guessing all that lot.
Hell, even I can't get in some days, and I KNOW the right stuff to enter!
- Breaking news: Google exec veep in terrifying SKY PLUNGE DRAMA
- Geek's Guide to Britain Kingston's aviation empire: From industry firsts to Airfix heroes
- Analysis Happy 2nd birthday, Windows 8 and Surface: Anatomy of a disaster
- Google CEO Larry Page gives Sundar Pichai keys to the kingdom
- Something for the Weekend, Sir? SKYPE has the HOTS for my NAKED WIFE